Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

This focused-ion-beam workstation was among the tools Christopher Tarnovsky used to crack a secure chip.

Since it’s so hard to analyze the security of ever-changing software configurations (see “Measuring Security”), many researchers are pursuing hardware-based security. They believe that hardware can be made simpler than software, is easier to verify, and is harder to hack once it’s deployed.

One example of this strategy is the use of smart cards and USB tokens as an alternative to usernames and passwords. The U.S. Department of Defense uses such methods to control access to sensitive websites and to digitally sign and encrypt e-mail. Another approach is the Trusted Platform Module (TPM), a fingernail-­size microchip that can be built into computers. An advantage of TPM is that the chips are already in many laptop and desktop computers, as well as in game consoles such as the Xbox 360. The modules give each of these systems an unforgeable serial number and a secure place to store digital cryptographic keys, which can then be used instead of passwords.

Unlike smart cards and USB tokens, TPMs can also be used for something called “remote attestation,” which lets a computer prove to another that its operating system hasn’t been modified by a third party. And since TPMs are already widely deployed, they represent the best immediate hope for hardware-based security.

Unfortunately, relatively few applications take advantage of these modules, but people in both industry and academia are looking to change that. For example, MIT professor Srini Devadas and his students have shown how TPM microchips can improve security without requiring the operating system to be secure–an important step forward, since today’s operating systems are too complex to be secured completely. Such a system might make online banking safer for consumers, for example. And last year researchers from the Technical University Munich in Germany showed how to use the modules with OpenID, an authentication protocol increasingly used by blogs and many of the smaller social-networking websites.

It takes a significant effort to crack the chips, as Christopher Tarnovsky, a former U.S. Army computer security specialist, demonstrated in February. By dissolving the chip’s outer casing with acid, removing a protective inner mesh with rust remover, and tapping the communications channels with tiny needles, Tarnovsky was able to force a module to release its secret information. Such an attack might let someone who had stolen a laptop unlock remote websites or pose as the laptop’s owner, but fortunately, it would be impractical to do this on a large scale.

0 comments about this story. Start the discussion »

Credit: Courtesy of FlyLogic

Tagged: Computing

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me